New Tools Face WLAN Threats

When Carilion Health System, a Roanoke-based healthcare company with a network of hospitals serving western Virginia, extended its wireless network to a small pediatric unit in a nearby town, senior network engineer Brian Brindle noticed a disturbing fact: "Every day after 5 p.m. the network would just get pounded on all night. This unit neighbors a large apartment complex, and someone was launching these fake access-point attacks all night, every night."

The would-be intruder attempted to use the AirJack maneuver (in which a special Linux driver is used to exploit vulnerabilities in 802.11-based networks) to get devices on the network to associate with it. Luckily the Carilion wireless LAN -- which runs a Cranite Systems Inc. Layer-2 encryption program overlaid with AirDefense Inc. 's Enterprise security suite -- was able to identify the rogue access point and shut it off the network.

"Enterprise brought the attacks to our attention, first off," recalls Brindle, "and the air termination feature knocked it down to keep devices from talking to that AP. Had we not had AirDefense, we would have had devices associating with that AP."

Persistent intruders in neighboring buildings are among the emerging security threats network managers are facing as wireless LANs proliferate in enterprises. Over the last two years, the spread of public WiFi hotspots and private enterprise WLANs has brought a whole new set of exploit and threat names into the security lexicon: "WiPhishing," "evil twins," "agile rogues," "aircrack," and so on. It's like a gallery of villains from the James Bond movies, lined up waiting to attack vulnerable wireless networks.

"I hate to say it," says Jack Gold, principal at J.Gold Associates, "but it's a bit like fighting Al Quaeda: you kill a couple of leaders and then 15 more pop up behind them."

The good news is that new authorization and encryption protocols beyond the sieve-like Wireless Equivalent Privacy continue to spread through businesses and other organizations, strengthening basic wireless security. And contrary to urban mythology, the types of threats, and the methods used, have not changed significantly over the last 12 months. But their sophistication and their brute force have increased along with the complexity of the networks themselves.

Predictably, IT managers are bombarded by a barrage of bewildering claims from vendors peddling an array of new security systems.

"Most new attacks seem to be either smarter versions of what we knew," contends wireless security expert Mike Kershaw, author of the widespread Kismet wardriving tool, "or procedure flaws in vendor implementations, such as the 'dumb-down WEP' attack."

Not just yet
Paradoxically, many wireless networking professionals expect the threats to proliferate as enterprises migrate from the more vulnerable WEP-based security systems to strong 802.1X-based authentication protocols.

"We're currently putting together a plan for getting rid of our WEP networks," comments Bo Mendenhall, senior information security analyst for health sciences at the University of Utah. "As we migrate more to 802.1X, I fully expect we'll see an increase in both the number of attacks and the skill level of the attackers."

That, of course, assumes that enterprises are making the jump to 802.1X authentication and the advanced WPA2 encryption method -- which, in many organizations, is not the case.

"It’s an evolution not a revolution," says Ellen Daley, principal analyst on the telecom and networks team at Forrester Research Inc. "I think the dirty little secret right now about wireless LAN is that, although 802.1X was ratified over a year ago, many enterprises are still not fully compliant."

At the same time, she says, enterprises need to upgrade to the WPA2 encryption standard. For many enterprises, such as the University of Utah, such upgrades will necessarily be part of a gradual process, piggybacking on top of more general network upgrades. And by choosing new equipment that is certified by the Wi-Fi Alliance -- which, in March, will make WPA2 security mandatory for its certification -- network managers can guarantee their networks carry the highest level of security currently widely available.

The cry-wolf effect
In fact, the latest versions of threat monitoring programs are so sensitive, and so fast, that "false positives" -- high numbers of alarms spotlighting benign or irrelevant activities on the network -- have become a problem in themselves. Anxiety, in many cases, has become a serious drag on productivity.

For that reason, several security vendors including AirDefense have progressed from a "threat monitoring" system to "threat assessment" capability.

"We've moved away from issuing hundreds of alarms to giving people an assessment of the level of threats," says Anil Khatod, CEO of AirDefense, of his company's latest Enterprise 7.0 release. "We use a proprietary algorithm to determine how relevant the threat was to you, whether it's more relevant in your environment than mine, and so on. It's a self-learning system that continues to build a knowledge base so it can give you a threat assessment of any single event, across the entire facility or enterprise."

That, says Carilion's Brindle, has made his job easier. "Now, instead of giving you a generic alarm message, Enterprise tells you 'This client is issuing too many control frames and this is what I think it's doing and why it's doing it.' It gives you a profile or signature of particular events and diagnoses them. It's a whole forensics model not found in the previous versions."

Infected machines
In the largely open-access environment of campus networks, as opposed to more closed business environments, it's not false alarms but real viruses and worms, imported to the network via regular users and guests logging on with infected laptops, that now constitute one of the biggest wireless LAN network security issues.

"That was one of the major threats," agrees Ramon Perez, the network manager at Fordham University, who manages a hybrid network of Airespace/Cisco Systems Inc. (Nasdaq: CSCO), Aruba Networks Inc. (Nasdaq: ARUN), and Enterasys Networks Inc. access points. The New York campus uses Perfigo Inc. security software to quarantine users attempting to log onto the network, check for viruses and software updates, and block them from the network if they aren’t compliant.

"If the laptops are not secured, then they don’t get on the network," Perez says. "We have removed a lot of the security threats using Perfigo."

Perfigo was acquired by Cisco for $74 million in October 2004. (See Cisco Picks Up Perfigo.) The firm's "CleanMachine" gateway software runs on Linux servers and can be used across wireless and wired networks.

The human factor
Still, the major threat to wireless enterprise LANs continues to be rogue access points -- often ones that are set up not by hackers but by well-meaning employees. As Graham Greene might say, you can't avoid the human factor. "There are still lots of ostrich companies, with their heads in the sand, saying we don't want wireless," observes Jon Green (no relation), senior product manager at Aruba. "They don't realize they're setting themselves at risk, because their employees will want it -- they'll go out and buy an access point and plug it in and now your entire network is being broadcast."

And that means that for network security pros working in today's complex, multi-vendor/multi-technology environment, the tightest wireless security must include not only implementation of Wi-Fi Alliance-certified gear featuring the latest security protocols but education of individual users on the network.

What may undermine all that is IT managers' reliance on the network and the end-user always behaving properly and following acceptable-use policies. "All the good net-security software in the world can't prevent a user from saying 'Sure, I like elf bowling. Let's download that,' " says security maven Kershaw. "Security shouldn't rely on the user making smart choices."

— Richard Martin, Senior Editor, Unstrung and Dan Jones, Site Editor, Unstrung

Be the first to post a comment regarding this story.
Sign In